CVE-2026-52976
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Two error handling issues exist in xe_exec_queue_create_ioctl():
When xe_hw_engine_group_add_exec_queue() fails, the error path jumps to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in preempt fence mode, xe_vm_add_compute_exec_queue() has already added the queue to the VM's compute exec queue list. Skipping the kill leaves the queue on that list, leading to a dangling pointer after the queue is freed.
When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has succeeded, the error path does not call xe_hw_engine_group_del_exec_queue() to remove the queue from the hw engine group list. The queue is then freed while still linked into the hw engine group, causing a use-after-free.
Fix both by:
- Changing the xe_hw_engine_group_add_exec_queue() failure path to jump to kill_exec_queue so that xe_exec_queue_kill() properly removes the queue from the VM's compute list.
- Adding a del_hw_engine_group label before kill_exec_queue for the xa_alloc() failure path, which removes the queue from the hw engine group before proceeding with the rest of the cleanup.
(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 7970cb36966c9b9183255dc097ae0446300eebcf < f93b00161213a0fe9f7ff1d8498ee5ca9e0a5c43 | affected |
| Linux | Linux | 7970cb36966c9b9183255dc097ae0446300eebcf < 753b149d5a433eb19e0c1b0eb4526a6e26120d1f | affected |
| Linux | Linux | 7970cb36966c9b9183255dc097ae0446300eebcf < 1be55646d8a2035343b012dcb12210db7bb8b056 | affected |
| Linux | Linux | 7970cb36966c9b9183255dc097ae0446300eebcf < f3cc22d4df3ed58439ea7e21daa54c3608e03b78 | affected |
| Linux | Linux | 6.12 | affected |
| Linux | Linux | 0 < 6.12 | unaffected |
| Linux | Linux | 6.12.91 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.33 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Additional References
- https://access.redhat.com/security/cve/CVE-2026-52976
- https://bugzilla.redhat.com/show_bug.cgi?id=2492284
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52976.json
References
- https://git.kernel.org/stable/c/f93b00161213a0fe9f7ff1d8498ee5ca9e0a5c43
- https://git.kernel.org/stable/c/753b149d5a433eb19e0c1b0eb4526a6e26120d1f
- https://git.kernel.org/stable/c/1be55646d8a2035343b012dcb12210db7bb8b056
- https://git.kernel.org/stable/c/f3cc22d4df3ed58439ea7e21daa54c3608e03b78
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.